Analysis Date: 2014-09-07 20:59:56
MD5: 3b54cee359b91045d84ab4abc7ad8105
SHA1: 9db0c2626e1843856f98fbe2172a14f85cdafddc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ef0296ec5fd35d019b787dc8602502b8 sha1: 3dd1ddf602ca8116e892446012e8da3f0f83581e size: 13824
Section .rdata md5: ba011ef131b62d5a68efadc79d11b069 sha1: 7a33dd1b17c0230aa6106311071b74cb1a9fc25d size: 3072
Section .data  md5: aff4cd4197251c9b8541c0f0e1c05b1e sha1: e4aca443bcad65ebd09ac145490f9e5b699b2986 size: 110592
Section .rsrc  md5: 59a12bb7b3f77350882b260a0c7343fe sha1: 6e613bb99a6206a630d59fccfe7a89972fbebc3e size: 5120
(Note: .data is roughly eight times the size of .text. An initialized-data section that large relative to code is consistent with a small loader carrying an embedded, encoded payload; the many short high-entropy fragments in the Strings section point the same way. Confirm with a per-section entropy check before relying on this.)
Timestamp: 2010-01-18 07:25:28  (PE header compile time — attacker-controlled and trivially forged, though plausible here. The analysis ran more than four years later, so the network indicators below may describe lapsed infrastructure.)
Version info:
  LegalCopyright: Copyright © 2010 Setup Technologies
  InternalName: r SetUp Ex lZ
  FileVersion: 3.0.0.0
  CompanyName: Jordan Russell
  LegalTrademarks:
  Comments:
  ProductName: f Internet Security VQ
  ProductVersion: 3.0.0.0
  FileDescription: Setup Self-Extractor 5F
  OriginalFilename: r SetUp Ex lZ
  (Note: the version resource is internally inconsistent and partly garbled — "r SetUp Ex lZ", "f Internet Security VQ", "Setup Self-Extractor 5F". CompanyName names the author of Inno Setup, while the manifest embedded in the Strings section identifies a Nullsoft NSIS v2.46 stub. Treat these fields as spoofed installer metadata, not as attribution or as evidence of a legitimate installer.)
PEhash: 68046a50fd5491a68acc37f7e9f9d9b984476eb3
IMPhash: de9d1227875eeb8c5ba01955a9718916  (import-table hash; useful to pivot to other samples built with the same stub or loader, but shared across such builds, so treat it as a packer/family indicator rather than a unique one)

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe  (the sample launches a second copy of its own image; together with the VirtualAllocEx import visible in the Strings section this is consistent with — though not proof of — a self-injecting loader that unpacks a payload into the child)
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
(Both mutex names are created again by the second instance below, so they are usable as host-based infection markers / single-instance guards.)

Process (second instance — presumably the child spawned above)
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\CY08W456F0\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
  (opaque base64-like value under a random-looking vendor key — likely encoded configuration or state; the same CY08W456F0 name is reused for the Run-key entry below, so both can be hunted together)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY08W456F0 ➝
C:\malware.exe
  (persistence #1: per-user Run key, needs no elevation; the scheduled-task .job file created below is a second, independent persistence mechanism, so remediation must remove both)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
  (the three Internet Settings accesses are consistent with WinInet initialising the system proxy/zone configuration when the sample issues its HTTP POST — the WinInet index.dat files and WininetConnectionMutex below support this — rather than deliberate tampering. The `\\\x03` in the Zones path is reproduced exactly as captured and is probably the sandbox's rendering of the zone-3 key; verify before using it as an indicator.)
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
  (persistence #2: a Task Scheduler job with a GUID name, alongside the Run key above. The sandbox ran as Administrator, so whether this write succeeds for a standard user is not established here.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  (the index.dat files, WininetConnectionMutex and the Afd endpoint are side effects of using the WinInet HTTP stack for the POST below; PIPE\lsarpc is an LSA RPC connection, commonly a by-product of name/SID lookups, and is not on its own evidence of credential access)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: topkio.com
Winsock DNS: ftuny.com

Network Details:

DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
(The wsj.com, fastclick.com and nifty.com lookups have no matching TCP flow in this capture and look like connectivity checks or decoy traffic rather than C2 — low-confidence indicators; do not block.)
DNS: ftuny.com
Type: A
208.73.211.250
DNS: ftuny.com
Type: A
208.73.210.211
DNS: ftuny.com
Type: A
208.73.211.167
DNS: ftuny.com
Type: A
208.73.211.244
DNS: topkio.com
Type: A
(no A record returned in this run)
DNS: phreeway.com
Type: A
(no A record returned in this run)
DNS: tirefondn.com
Type: A
(no A record returned in this run)
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.250:80
Notes:
- The four 208.73.210–211.x answers for ftuny.com fall in a range long used by domain-parking services; given the 2010 compile date and 2014 analysis date, the domain may have lapsed and been parked by the time of analysis, so the IPs are weak indicators. Alert on the domain names (ftuny.com, topkio.com, phreeway.com, tirefondn.com) and on the request shape instead, and re-resolve before blocking any address.
- phreeway.com and tirefondn.com appear only in the network capture, not in the per-process Winsock DNS log above, so their origin within the process tree is unconfirmed.
- Network signature material: POST /borders.php, the fixed User-Agent string above, Content-Type application/x-www-form-urlencoded, and a body of the form `data=<base64-like blob>` (see Raw Pcap).

Raw Pcap (client request only: 584 bytes = 243-byte header + 341-byte body, matching the Content-Length. The body is `data=` followed by 336 characters of standard-alphabet base64 ending in `==`, i.e. about 250 bytes of opaque, presumably encrypted data. Note that `+` and `/` are sent without percent-encoding inside an application/x-www-form-urlencoded body — a compliant form parser would turn `+` into a space, so the server side presumably reads the raw body; this quirk is itself usable for detection. The value written under HKCU\Software\CY08W456F0\OteH uses the same character set and may be the same encoding.)
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   70427676 4f487037 65526348 5069596f   pBvvOHp7eRcHPiYo
0x00000150 (00336)   3939494d 55756a67 55573462 76544964   99IMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c6e 726e6c49   /Golwxlm9kLnrnlI
0x00000230 (00560)   2b355536 6e333664 2f33346b 6f6c5631   +5U6n36d/34kolV1
0x00000240 (00576)   6136516e 2b773d3d                     a6Qn+w==


Strings (notable items: Delphi RTL/VCL markers — DVCLAL, "This program must be run under Win32", the Invalid property/stream messages — alongside USER32/KERNEL32 import names including VirtualAllocEx; several stdcall-decorated symbols with random letters (_gFWDQTvySS@12, _GydhCKWLljgtXf@24, _XuxbcvY@16), typical of a generated or obfuscated stub; and an embedded Nullsoft NSIS v2.46 exehead manifest requesting requireAdministrator with Vista/Windows 7 supportedOS GUIDs. Delphi and NSIS artefacts are unlikely to both describe the same outer binary, which again suggests a wrapper carrying foreign content. Most remaining strings are short high-entropy fragments.)
.
m2^E
..
%
.
.
C
.X.
3C..pX.{0
Mu
040904E4
 2010  Setup Technologies 
3.0.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
f Internet Security VQ
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
mvWNe
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
r SetUp Ex lZ
 Setup Self-Extractor 5F
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
 ~::_-
06QR?v
'<^0c9
0 o(/h
0w%$GF
`.(1Vz&eLtE
2/${1e
!?26UQ
2AX0Wx7r
2NVA|cP
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
`$!3wC
~4p"Fw
]5\?}3
5`?6`Rj
.5FtLj
6:1+7N
6rLb0,
?6RS!+M
/#6V@n+
:6x(zQ
7a4KH8
7!XpfpR
85`/Jg
8JKt7>e$
8lanr}V/
8xvAO/\9
9#5r5+z
99~Jz[
9A4t$	
a92ZPX
AA3/6-
ActivateKeyboardLayout
\AdH0!,
ahErby
aHFX8S
A*O<S.
Apr f8b2
aqOqgt
|At@@@
.AUdDV
aXJ'!V8)
!={ >b
BCNo:u
_B#Ds0
BeginPaint
b&$R:L*
bW93'!y
cbBPgN
CharToOemA
cK0DfB
CP60(/
CreatePopupMenu
CZS+PN.
;CZ	Sr
+ D^9^
@.data
DefFrameProcA
DefMDIChildProcA
DefWindowProcA
De	@PL
DestroyCursor
DestroyIcon
DispatchMessageA
DrawAnimatedRects
DrawEdge
DrawFrameControl
DrawMenuBar
D>TN(F,
(~E;0tqT
EgBvKp
EnumChildWindows
E@Qm6t
EqualRect
ExitProcess
<&~F<(;
<$@>	F4
f76G[]
FC}#CND
FERLUtpG
FfGf93
FindWindowA
	;fJP3
FrameRect
fzrPzC
gbSh3`
GetClassInfoA
GetClassLongA
GetClipboardData
GetCursorPos
GetDCEx
GetForegroundWindow
GetKeyboardLayoutNameA
GetKeyNameTextA
GetKeyState
GetMenu
GetMessagePos
GetParent
GetSysColor
GetSystemMetrics
GetTickCount
GetTopWindow
GetVersion
GetVersionExA
GetWindow
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowTextLengthA
_gFWDQTvySS@12
=GmZa+
gteFsR
_GydhCKWLljgtXf@24
hm@1Le
H**P	k
h/@QP(^@
!Hu0,KMe
~i"$0T
I1sSQI
i jbAB
ik(F<*
I>lp7Q
InvalidateRect
IsCharLowerA
IsChild
IsDialogMessageA
IsDialogMessageW
IsRectEmpty
IsZoomed
|j@2zY
jLVu+S
JTW0ihZZ
j#W'mp$
jypDd:Y
j]Z|F<
KERNEL32.dll
k#)M	q
[KNM`53bJ
^^)Kv+
kv{'KF
L]f5XA
"l?}m 
LoadIconA
LoadLibraryA
LpYbGiT
L<qFC<P
lWF;ff|
MapWindowPoints
MessageBoxA
M,F_@{
|,MhC<hVs
mN:@Yg
M~rrk#
MsgWaitForMultipleObjects
#MU1l*
=N!.fC%
n[]klo
NLN(Cf]
+N Sfw
~/nx3&
o	h6&x
OmhQP;
O	>OH0Q<
OpenClipboard
oT3tLFtl8e
:p8B^J
pBln /
;pDtno6xZF*
>"P:FC
p?NpW6
P(oH|J
PySt5pL
q0MOhVS8Gg
qESN8ZgPB
_qNILHmOh5JM
qP;CgL
_qRkNJO14
qSL8DY
r5Vt3Tq
`.rdata
ReleaseCapture
rh3zCkF
RQom0@
r SetUp Ex lZ
S}1mFt
@S$?8]
ScreenToClient
_sDokkQt5
SetCapture
SetCursor
SetFocus
SetMenuItemInfoA
SetParent
SetScrollInfo
SetTimer
ShowWindow
sSHxLA3
!T.+6%
t8#gt@
t*@C:X
	tE%eZ
This program must be run under Win32
tIxF3i
[t*~Jb1
tSlA-Bxo
:t[V@r
t-y`8/
uD8tmU
ui!KFl
u@_#j`
~uLRd 
UNIQSTRoXG9
urCcjbTh
USER32.dll
uSW|N.
u-	,V1
uV>K7c
* Ux.RQ
v2k0vfb
VirtualAllocEx
vLXozbT
Vriy=x
vWx 18%
W;?	bf
wD*9YG
WindowFromPoint
WjPoC#P
wPef3E
Wt3E9b
Ww^	%{
=xdp*R
Xf/.X6
xjbe3H
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
_XuxbcvY@16
!Z5G#]
^ZcMbp
zG@}.6
zHYW3K